diff --git a/.gitignore b/.gitignore index 57006f1..54863fe 100644 --- a/.gitignore +++ b/.gitignore @@ -55,3 +55,4 @@ openssl-1.0.0a-usa.tar.bz2 /openssl-3.0.2-hobbled.tar.gz /openssl-3.0.3-hobbled.tar.gz /openssl-3.0.5-hobbled.tar.xz +/openssl-3.0.7-hobbled.tar.gz diff --git a/0008-Add-FIPS_mode-compatibility-macro.patch b/0008-Add-FIPS_mode-compatibility-macro.patch index 0fac4eb..2e72999 100644 --- a/0008-Add-FIPS_mode-compatibility-macro.patch +++ b/0008-Add-FIPS_mode-compatibility-macro.patch @@ -12,24 +12,12 @@ default context. 3 files changed, 39 insertions(+) create mode 100644 include/openssl/fips.h -diff --git a/include/openssl/crypto.h.in b/include/openssl/crypto.h.in -index 1036da9a2b..9d4896fcaf 100644 ---- a/include/openssl/crypto.h.in -+++ b/include/openssl/crypto.h.in -@@ -38,6 +38,7 @@ use OpenSSL::stackhash qw(generate_stack_macros); - # include - # include - # include -+# include - - # ifdef CHARSET_EBCDIC - # include diff --git a/include/openssl/fips.h b/include/openssl/fips.h new file mode 100644 index 0000000000..c64f0f8e8f --- /dev/null +++ b/include/openssl/fips.h -@@ -0,0 +1,25 @@ +@@ -0,0 +1,26 @@ +/* + * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * @@ -43,6 +31,7 @@ index 0000000000..c64f0f8e8f +# define OPENSSL_FIPS_H +# pragma once + ++# include +# include + +# ifdef __cplusplus @@ -58,10 +47,11 @@ index 0000000000..c64f0f8e8f diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1/test/property_test.c --- openssl-3.0.0-beta1/test/property_test.c.fips-macro 2021-06-29 12:14:58.851557698 +0200 +++ openssl-3.0.0-beta1/test/property_test.c 2021-06-29 12:17:14.630143832 +0200 -@@ -488,6 +488,18 @@ static int test_property_list_to_string( +@@ -488,6 +488,19 @@ static int test_property_list_to_string( return ret; } - + ++#include +static int test_downstream_FIPS_mode(void) +{ + int ret = 0; diff --git a/0011-Remove-EC-curves.patch b/0011-Remove-EC-curves.patch index 51c9d23..10e200c 100644 --- a/0011-Remove-EC-curves.patch +++ b/0011-Remove-EC-curves.patch @@ -5011,3 +5011,15 @@ diff -up openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remov Title=prime256v1 curve tests PrivateKey=ALICE_cf_prime256v1 +diff -up openssl-3.0.7/test/recipes/15-test_ec.t.skipshort openssl-3.0.7/test/recipes/15-test_ec.t +--- openssl-3.0.7/test/recipes/15-test_ec.t.skipshort 2022-11-23 12:40:55.324395782 +0100 ++++ openssl-3.0.7/test/recipes/15-test_ec.t 2022-11-23 12:42:12.478094387 +0100 +@@ -90,7 +90,7 @@ subtest 'Ed448 conversions -- public key + + subtest 'Check loading of fips and non-fips keys' => sub { + plan skip_all => "FIPS is disabled" +- if $no_fips; ++ if 1; #Red Hat specific, original value is $no_fips; + + plan tests => 2; + diff --git a/0032-Force-fips.patch b/0032-Force-fips.patch index 1a4ea0d..514ab67 100644 --- a/0032-Force-fips.patch +++ b/0032-Force-fips.patch @@ -7,6 +7,14 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provider_conf.c --- openssl-3.0.1/crypto/provider_conf.c.fipsact 2022-05-12 12:44:31.199034948 +0200 +++ openssl-3.0.1/crypto/provider_conf.c 2022-05-12 12:49:17.468318373 +0200 +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include + #include + #include @@ -136,58 +136,18 @@ static int prov_already_activated(const return 0; } diff --git a/0035-speed-skip-unavailable-dgst.patch b/0035-speed-skip-unavailable-dgst.patch index 6d948dd..9256f7f 100644 --- a/0035-speed-skip-unavailable-dgst.patch +++ b/0035-speed-skip-unavailable-dgst.patch @@ -11,16 +11,3 @@ diff -up openssl-3.0.0/apps/speed.c.beldmit openssl-3.0.0/apps/speed.c if (!EVP_MAC_init(mctx, NULL, 0, NULL) || !EVP_MAC_update(mctx, buf, lengths[testnum]) || !EVP_MAC_final(mctx, mac, &outl, sizeof(mac))) -@@ -1922,8 +1925,10 @@ int speed_main(int argc, char **argv) - if (loopargs[i].mctx == NULL) - goto end; - -- if (!EVP_MAC_CTX_set_params(loopargs[i].mctx, params)) -- goto end; -+ if (!EVP_MAC_CTX_set_params(loopargs[i].mctx, params)) { -+ EVP_MAC_CTX_free(loopargs[i].mctx); -+ loopargs[i].mctx = NULL; -+ } - } - for (testnum = 0; testnum < size_num; testnum++) { - print_message(names[D_HMAC], c[D_HMAC][testnum], lengths[testnum], diff --git a/0056-strcasecmp.patch b/0056-strcasecmp.patch index 5c33a76..8a005e6 100644 --- a/0056-strcasecmp.patch +++ b/0056-strcasecmp.patch @@ -1,14 +1,54 @@ diff -up openssl-3.0.3/util/libcrypto.num.locale openssl-3.0.3/util/libcrypto.num --- openssl-3.0.3/util/libcrypto.num.locale 2022-06-01 12:35:52.667498724 +0200 +++ openssl-3.0.3/util/libcrypto.num 2022-06-01 12:36:08.112633093 +0200 -@@ -5425,8 +5425,8 @@ ASN1_item_d2i_ex - ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION: - EVP_PKEY_get0_provider 5554 3_0_0 EXIST::FUNCTION: +@@ -5425,6 +5425,8 @@ ASN1_item_d2i_ex EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION: --OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION: --OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: -+OPENSSL_strcasecmp 5556 3_0_1 EXIST::FUNCTION: -+OPENSSL_strncasecmp 5557 3_0_1 EXIST::FUNCTION: + OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION: + OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: ++OPENSSL_strcasecmp ? 3_0_1 EXIST::FUNCTION: ++OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION: ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION: ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION: +diff -up openssl-3.0.7/crypto/o_str.c.cmp openssl-3.0.7/crypto/o_str.c +--- openssl-3.0.7/crypto/o_str.c.cmp 2022-11-25 12:50:22.449760653 +0100 ++++ openssl-3.0.7/crypto/o_str.c 2022-11-25 12:51:19.416350584 +0100 +@@ -342,7 +342,12 @@ int openssl_strerror_r(int errnum, char + #endif + } + +-int OPENSSL_strcasecmp(const char *s1, const char *s2) ++int ++#ifndef FIPS_MODULE ++__attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"), ++ symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1"))) ++#endif ++OPENSSL_strcasecmp(const char *s1, const char *s2) + { + int t; + +@@ -352,7 +354,12 @@ int OPENSSL_strcasecmp(const char *s1, c + return t; + } + +-int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n) ++int ++#ifndef FIPS_MODULE ++__attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"), ++ symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1"))) ++#endif ++OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n) + { + int t; + size_t i; +diff -up openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp openssl-3.0.7/test/recipes/01-test_symbol_presence.t +--- openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp 2022-11-25 18:19:05.669769076 +0100 ++++ openssl-3.0.7/test/recipes/01-test_symbol_presence.t 2022-11-25 18:31:20.993392678 +0100 +@@ -77,6 +80,7 @@ foreach my $libname (@libnames) { + s| .*||; + # Drop OpenSSL dynamic version information if there is any + s|\@\@.+$||; ++ s|\@.+$||; + # Return the result + $_ + } diff --git a/0080-CVE-2022-3602.patch b/0080-CVE-2022-3602.patch deleted file mode 100644 index 4f935e4..0000000 --- a/0080-CVE-2022-3602.patch +++ /dev/null @@ -1,399 +0,0 @@ -diff --git a/crypto/punycode.c b/crypto/punycode.c -index 385b4b1df4..b9b4e3d785 100644 ---- a/crypto/punycode.c -+++ b/crypto/punycode.c -@@ -123,7 +123,6 @@ int ossl_punycode_decode(const char *pEncoded, const size_t enc_len, - unsigned int bias = initial_bias; - size_t processed_in = 0, written_out = 0; - unsigned int max_out = *pout_length; -- - unsigned int basic_count = 0; - unsigned int loop; - -@@ -181,11 +180,11 @@ int ossl_punycode_decode(const char *pEncoded, const size_t enc_len, - n = n + i / (written_out + 1); - i %= (written_out + 1); - -- if (written_out > max_out) -+ if (written_out >= max_out) - return 0; - - memmove(pDecoded + i + 1, pDecoded + i, -- (written_out - i) * sizeof *pDecoded); -+ (written_out - i) * sizeof(*pDecoded)); - pDecoded[i] = n; - i++; - written_out++; -@@ -255,30 +254,35 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen) - */ - char *outptr = out; - const char *inptr = in; -- size_t size = 0; -+ size_t size = 0, maxsize; - int result = 1; -- -+ unsigned int i, j; - unsigned int buf[LABEL_BUF_SIZE]; /* It's a hostname */ -- if (out == NULL) -+ -+ if (out == NULL) { - result = 0; -+ maxsize = 0; -+ } else { -+ maxsize = *outlen; -+ } -+ -+#define PUSHC(c) \ -+ do \ -+ if (size++ < maxsize) \ -+ *outptr++ = c; \ -+ else \ -+ result = 0; \ -+ while (0) - - while (1) { - char *tmpptr = strchr(inptr, '.'); -- size_t delta = (tmpptr) ? (size_t)(tmpptr - inptr) : strlen(inptr); -+ size_t delta = tmpptr != NULL ? (size_t)(tmpptr - inptr) : strlen(inptr); - - if (strncmp(inptr, "xn--", 4) != 0) { -- size += delta + 1; -- -- if (size >= *outlen - 1) -- result = 0; -- -- if (result > 0) { -- memcpy(outptr, inptr, delta + 1); -- outptr += delta + 1; -- } -+ for (i = 0; i < delta + 1; i++) -+ PUSHC(inptr[i]); - } else { - unsigned int bufsize = LABEL_BUF_SIZE; -- unsigned int i; - - if (ossl_punycode_decode(inptr + 4, delta - 4, buf, &bufsize) <= 0) - return -1; -@@ -286,26 +290,15 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen) - for (i = 0; i < bufsize; i++) { - unsigned char seed[6]; - size_t utfsize = codepoint2utf8(seed, buf[i]); -+ - if (utfsize == 0) - return -1; - -- size += utfsize; -- if (size >= *outlen - 1) -- result = 0; -- -- if (result > 0) { -- memcpy(outptr, seed, utfsize); -- outptr += utfsize; -- } -+ for (j = 0; j < utfsize; j++) -+ PUSHC(seed[j]); - } - -- if (tmpptr != NULL) { -- *outptr = '.'; -- outptr++; -- size++; -- if (size >= *outlen - 1) -- result = 0; -- } -+ PUSHC(tmpptr != NULL ? '.' : '\0'); - } - - if (tmpptr == NULL) -@@ -313,7 +306,9 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen) - - inptr = tmpptr + 1; - } -+#undef PUSHC - -+ *outlen = size; - return result; - } - -@@ -327,12 +322,11 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen) - - int ossl_a2ucompare(const char *a, const char *u) - { -- char a_ulabel[LABEL_BUF_SIZE]; -+ char a_ulabel[LABEL_BUF_SIZE + 1]; - size_t a_size = sizeof(a_ulabel); - -- if (ossl_a2ulabel(a, a_ulabel, &a_size) <= 0) { -+ if (ossl_a2ulabel(a, a_ulabel, &a_size) <= 0) - return -1; -- } - -- return (strcmp(a_ulabel, u) == 0) ? 0 : 1; -+ return strcmp(a_ulabel, u) != 0; - } -diff --git a/test/build.info b/test/build.info -index 9d2d41e417..638f215da6 100644 ---- a/test/build.info -+++ b/test/build.info -@@ -40,7 +40,7 @@ IF[{- !$disabled{tests} -}] - exptest pbetest localetest evp_pkey_ctx_new_from_name\ - evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \ - evp_fetch_prov_test evp_libctx_test ossl_store_test \ -- v3nametest v3ext \ -+ v3nametest v3ext punycode_test \ - evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \ - evp_fetch_prov_test v3nametest v3ext \ - crltest danetest bad_dtls_test lhash_test sparse_array_test \ -@@ -290,6 +290,10 @@ IF[{- !$disabled{tests} -}] - INCLUDE[pkcs7_test]=../include ../apps/include - DEPEND[pkcs7_test]=../libcrypto libtestutil.a - -+ SOURCE[punycode_test]=punycode_test.c -+ INCLUDE[punycode_test]=../include ../apps/include -+ DEPEND[punycode_test]=../libcrypto.a libtestutil.a -+ - SOURCE[stack_test]=stack_test.c - INCLUDE[stack_test]=../include ../apps/include - DEPEND[stack_test]=../libcrypto libtestutil.a -diff --git a/test/punycode_test.c b/test/punycode_test.c -new file mode 100644 -index 0000000000..285ead6966 ---- /dev/null -+++ b/test/punycode_test.c -@@ -0,0 +1,219 @@ -+/* -+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#include -+ -+#include "crypto/punycode.h" -+#include "internal/nelem.h" -+#include "testutil.h" -+ -+ -+static const struct puny_test { -+ unsigned int raw[50]; -+ const char *encoded; -+} puny_cases[] = { -+ /* Test cases from RFC 3492 */ -+ { /* Arabic (Egyptian) */ -+ { 0x0644, 0x064A, 0x0647, 0x0645, 0x0627, 0x0628, 0x062A, 0x0643, 0x0644, -+ 0x0645, 0x0648, 0x0634, 0x0639, 0x0631, 0x0628, 0x064A, 0x061F -+ }, -+ "egbpdaj6bu4bxfgehfvwxn" -+ }, -+ { /* Chinese (simplified) */ -+ { 0x4ED6, 0x4EEC, 0x4E3A, 0x4EC0, 0x4E48, 0x4E0D, 0x8BF4, 0x4E2D, 0x6587 -+ }, -+ "ihqwcrb4cv8a8dqg056pqjye" -+ }, -+ { /* Chinese (traditional) */ -+ { 0x4ED6, 0x5011, 0x7232, 0x4EC0, 0x9EBD, 0x4E0D, 0x8AAA, 0x4E2D, 0x6587 -+ }, -+ "ihqwctvzc91f659drss3x8bo0yb" -+ }, -+ { /* Czech: Proprostnemluvesky */ -+ { 0x0050, 0x0072, 0x006F, 0x010D, 0x0070, 0x0072, 0x006F, 0x0073, 0x0074, -+ 0x011B, 0x006E, 0x0065, 0x006D, 0x006C, 0x0075, 0x0076, 0x00ED, 0x010D, -+ 0x0065, 0x0073, 0x006B, 0x0079 -+ }, -+ "Proprostnemluvesky-uyb24dma41a" -+ }, -+ { /* Hebrew */ -+ { 0x05DC, 0x05DE, 0x05D4, 0x05D4, 0x05DD, 0x05E4, 0x05E9, 0x05D5, 0x05D8, -+ 0x05DC, 0x05D0, 0x05DE, 0x05D3, 0x05D1, 0x05E8, 0x05D9, 0x05DD, 0x05E2, -+ 0x05D1, 0x05E8, 0x05D9, 0x05EA -+ }, -+ "4dbcagdahymbxekheh6e0a7fei0b" -+ }, -+ { /* Hindi (Devanagari) */ -+ { 0x092F, 0x0939, 0x0932, 0x094B, 0x0917, 0x0939, 0x093F, 0x0928, 0x094D, -+ 0x0926, 0x0940, 0x0915, 0x094D, 0x092F, 0x094B, 0x0902, 0x0928, 0x0939, -+ 0x0940, 0x0902, 0x092C, 0x094B, 0x0932, 0x0938, 0x0915, 0x0924, 0x0947, -+ 0x0939, 0x0948, 0x0902 -+ }, -+ "i1baa7eci9glrd9b2ae1bj0hfcgg6iyaf8o0a1dig0cd" -+ }, -+ { /* Japanese (kanji and hiragana) */ -+ { 0x306A, 0x305C, 0x307F, 0x3093, 0x306A, 0x65E5, 0x672C, 0x8A9E, 0x3092, -+ 0x8A71, 0x3057, 0x3066, 0x304F, 0x308C, 0x306A, 0x3044, 0x306E, 0x304B -+ }, -+ "n8jok5ay5dzabd5bym9f0cm5685rrjetr6pdxa" -+ }, -+ { /* Korean (Hangul syllables) */ -+ { 0xC138, 0xACC4, 0xC758, 0xBAA8, 0xB4E0, 0xC0AC, 0xB78C, 0xB4E4, 0xC774, -+ 0xD55C, 0xAD6D, 0xC5B4, 0xB97C, 0xC774, 0xD574, 0xD55C, 0xB2E4, 0xBA74, -+ 0xC5BC, 0xB9C8, 0xB098, 0xC88B, 0xC744, 0xAE4C -+ }, -+ "989aomsvi5e83db1d2a355cv1e0vak1dwrv93d5xbh15a0dt30a5jpsd879ccm6fea98c" -+ }, -+ { /* Russian (Cyrillic) */ -+ { 0x043F, 0x043E, 0x0447, 0x0435, 0x043C, 0x0443, 0x0436, 0x0435, 0x043E, -+ 0x043D, 0x0438, 0x043D, 0x0435, 0x0433, 0x043E, 0x0432, 0x043E, 0x0440, -+ 0x044F, 0x0442, 0x043F, 0x043E, 0x0440, 0x0443, 0x0441, 0x0441, 0x043A, -+ 0x0438 -+ }, -+ "b1abfaaepdrnnbgefbaDotcwatmq2g4l" -+ }, -+ { /* Spanish */ -+ { 0x0050, 0x006F, 0x0072, 0x0071, 0x0075, 0x00E9, 0x006E, 0x006F, 0x0070, -+ 0x0075, 0x0065, 0x0064, 0x0065, 0x006E, 0x0073, 0x0069, 0x006D, 0x0070, -+ 0x006C, 0x0065, 0x006D, 0x0065, 0x006E, 0x0074, 0x0065, 0x0068, 0x0061, -+ 0x0062, 0x006C, 0x0061, 0x0072, 0x0065, 0x006E, 0x0045, 0x0073, 0x0070, -+ 0x0061, 0x00F1, 0x006F, 0x006C -+ }, -+ "PorqunopuedensimplementehablarenEspaol-fmd56a" -+ }, -+ { /* Vietnamese */ -+ { 0x0054, 0x1EA1, 0x0069, 0x0073, 0x0061, 0x006F, 0x0068, 0x1ECD, 0x006B, -+ 0x0068, 0x00F4, 0x006E, 0x0067, 0x0074, 0x0068, 0x1EC3, 0x0063, 0x0068, -+ 0x1EC9, 0x006E, 0x00F3, 0x0069, 0x0074, 0x0069, 0x1EBF, 0x006E, 0x0067, -+ 0x0056, 0x0069, 0x1EC7, 0x0074 -+ }, -+ "TisaohkhngthchnitingVit-kjcr8268qyxafd2f1b9g" -+ }, -+ { /* Japanese: 3B */ -+ { 0x0033, 0x5E74, 0x0042, 0x7D44, 0x91D1, 0x516B, 0x5148, 0x751F -+ }, -+ "3B-ww4c5e180e575a65lsy2b" -+ }, -+ { /* Japanese: -with-SUPER-MONKEYS */ -+ { 0x5B89, 0x5BA4, 0x5948, 0x7F8E, 0x6075, 0x002D, 0x0077, 0x0069, 0x0074, -+ 0x0068, 0x002D, 0x0053, 0x0055, 0x0050, 0x0045, 0x0052, 0x002D, 0x004D, -+ 0x004F, 0x004E, 0x004B, 0x0045, 0x0059, 0x0053 -+ }, -+ "-with-SUPER-MONKEYS-pc58ag80a8qai00g7n9n" -+ }, -+ { /* Japanese: Hello-Another-Way- */ -+ { 0x0048, 0x0065, 0x006C, 0x006C, 0x006F, 0x002D, 0x0041, 0x006E, 0x006F, -+ 0x0074, 0x0068, 0x0065, 0x0072, 0x002D, 0x0057, 0x0061, 0x0079, 0x002D, -+ 0x305D, 0x308C, 0x305E, 0x308C, 0x306E, 0x5834, 0x6240 -+ }, -+ "Hello-Another-Way--fc4qua05auwb3674vfr0b" -+ }, -+ { /* Japanese: 2 */ -+ { 0x3072, 0x3068, 0x3064, 0x5C4B, 0x6839, 0x306E, 0x4E0B, 0x0032 -+ }, -+ "2-u9tlzr9756bt3uc0v" -+ }, -+ { /* Japanese: MajiKoi5 */ -+ { 0x004D, 0x0061, 0x006A, 0x0069, 0x3067, 0x004B, 0x006F, 0x0069, 0x3059, -+ 0x308B, 0x0035, 0x79D2, 0x524D -+ }, -+ "MajiKoi5-783gue6qz075azm5e" -+ }, -+ { /* Japanese: de */ -+ { 0x30D1, 0x30D5, 0x30A3, 0x30FC, 0x0064, 0x0065, 0x30EB, 0x30F3, 0x30D0 -+ }, -+ "de-jg4avhby1noc0d" -+ }, -+ { /* Japanese: */ -+ { 0x305D, 0x306E, 0x30B9, 0x30D4, 0x30FC, 0x30C9, 0x3067 -+ }, -+ "d9juau41awczczp" -+ }, -+ { /* -> $1.00 <- */ -+ { 0x002D, 0x003E, 0x0020, 0x0024, 0x0031, 0x002E, 0x0030, 0x0030, 0x0020, -+ 0x003C, 0x002D -+ }, -+ "-> $1.00 <--" -+ } -+}; -+ -+static int test_punycode(int n) -+{ -+ const struct puny_test *tc = puny_cases + n; -+ unsigned int buffer[50]; -+ unsigned int bsize = OSSL_NELEM(buffer); -+ size_t i; -+ -+ if (!TEST_true(ossl_punycode_decode(tc->encoded, strlen(tc->encoded), -+ buffer, &bsize))) -+ return 0; -+ for (i = 0; i < sizeof(tc->raw); i++) -+ if (tc->raw[i] == 0) -+ break; -+ if (!TEST_mem_eq(buffer, bsize * sizeof(*buffer), -+ tc->raw, i * sizeof(*tc->raw))) -+ return 0; -+ return 1; -+} -+ -+static int test_a2ulabel(void) -+{ -+ char out[50]; -+ size_t outlen; -+ -+ /* -+ * Test that no buffer correctly returns the true length. -+ * The punycode being passed in and parsed is malformed but we're not -+ * verifying that behaviour here. -+ */ -+ if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", NULL, &outlen), 0) -+ || !TEST_size_t_eq(outlen, 7) -+ || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1)) -+ return 0; -+ /* Test that a short input length returns the true length */ -+ outlen = 1; -+ if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 0) -+ || !TEST_size_t_eq(outlen, 7) -+ || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1) -+ || !TEST_str_eq(out,"\xc2\x80.b.c")) -+ return 0; -+ /* Test for an off by one on the buffer size works */ -+ outlen = 6; -+ if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 0) -+ || !TEST_size_t_eq(outlen, 7) -+ || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1) -+ || !TEST_str_eq(out,"\xc2\x80.b.c")) -+ return 0; -+ return 1; -+} -+ -+static int test_puny_overrun(void) -+{ -+ static const unsigned int out[] = { -+ 0x0033, 0x5E74, 0x0042, 0x7D44, 0x91D1, 0x516B, 0x5148, 0x751F -+ }; -+ static const char *in = "3B-ww4c5e180e575a65lsy2b"; -+ unsigned int buf[OSSL_NELEM(out)]; -+ unsigned int bsize = OSSL_NELEM(buf) - 1; -+ -+ if (!TEST_false(ossl_punycode_decode(in, strlen(in), buf, &bsize))) { -+ if (TEST_mem_eq(buf, bsize * sizeof(*buf), out, sizeof(out))) -+ TEST_error("CRITICAL: buffer overrun detected!"); -+ return 0; -+ } -+ return 1; -+} -+ -+int setup_tests(void) -+{ -+ ADD_ALL_TESTS(test_punycode, OSSL_NELEM(puny_cases)); -+ ADD_TEST(test_a2ulabel); -+ ADD_TEST(test_puny_overrun); -+ return 1; -+} -diff --git a/test/recipes/04-test_punycode.t b/test/recipes/04-test_punycode.t -new file mode 100644 -index 0000000000..de213c7e15 ---- /dev/null -+++ b/test/recipes/04-test_punycode.t -@@ -0,0 +1,11 @@ -+#! /usr/bin/env perl -+# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+ -+use OpenSSL::Test::Simple; -+ -+simple_test("test_punycode", "punycode_test"); diff --git a/0081-EVP_PKEY_eq-regain-compatibility-with-the-3.0.0-FIPS.patch b/0081-EVP_PKEY_eq-regain-compatibility-with-the-3.0.0-FIPS.patch deleted file mode 100644 index 660b237..0000000 --- a/0081-EVP_PKEY_eq-regain-compatibility-with-the-3.0.0-FIPS.patch +++ /dev/null @@ -1,41 +0,0 @@ -From c342004e07fd2c03a672f79353d13554fe0ffdaf Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?= -Date: Tue, 13 Sep 2022 14:37:05 +1000 -Subject: [PATCH] EVP_PKEY_eq: regain compatibility with the 3.0.0 FIPS - provider - -Reviewed-by: Matt Caswell -Reviewed-by: Shane Lontis -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/19201) ---- - crypto/evp/p_lib.c | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - -diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c -index 170cb89cb0..c8c342b3e9 100644 ---- a/crypto/evp/p_lib.c -+++ b/crypto/evp/p_lib.c -@@ -339,9 +339,16 @@ int EVP_PKEY_eq(const EVP_PKEY *a, const EVP_PKEY *b) - if (a == NULL || b == NULL) - return 0; - -- if (a->keymgmt != NULL || b->keymgmt != NULL) -- return evp_pkey_cmp_any(a, b, (SELECT_PARAMETERS -- | OSSL_KEYMGMT_SELECT_KEYPAIR)); -+ if (a->keymgmt != NULL || b->keymgmt != NULL) { -+ int selection = SELECT_PARAMETERS; -+ -+ if (evp_keymgmt_util_has((EVP_PKEY *)a, OSSL_KEYMGMT_SELECT_PUBLIC_KEY) -+ && evp_keymgmt_util_has((EVP_PKEY *)b, OSSL_KEYMGMT_SELECT_PUBLIC_KEY)) -+ selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY; -+ else -+ selection |= OSSL_KEYMGMT_SELECT_KEYPAIR; -+ return evp_pkey_cmp_any(a, b, selection); -+ } - - /* All legacy keys */ - if (a->type != b->type) --- -2.38.1 - diff --git a/openssl.spec b/openssl.spec index 287ab80..bc11f21 100644 --- a/openssl.spec +++ b/openssl.spec @@ -28,13 +28,13 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl -Version: 3.0.5 -Release: 7%{?dist} +Version: 3.0.7 +Release: 1%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. # The original openssl upstream tarball cannot be shipped in the .src.rpm. -Source: openssl-%{version}-hobbled.tar.xz +Source: openssl-%{version}-hobbled.tar.gz Source1: hobble-openssl Source2: Makefile.certificate Source3: genpatches @@ -184,10 +184,10 @@ Patch77: 0077-FIPS-140-3-zeroization.patch Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2124845, https://github.com/openssl/openssl/pull/19182 Patch79: 0079-Fix-AES-GCM-on-Power-8-CPUs.patch -#CVE-2022-3602 -Patch80: 0080-CVE-2022-3602.patch -#Provider interface fixes -Patch81: 0081-EVP_PKEY_eq-regain-compatibility-with-the-3.0.0-FIPS.patch +# #CVE-2022-3602 +# Patch80: 0080-CVE-2022-3602.patch +# #Provider interface fixes +# Patch81: 0081-EVP_PKEY_eq-regain-compatibility-with-the-3.0.0-FIPS.patch Patch82: 0082-Propagate-selection-all-the-way-on-key-export.patch Patch83: 0083-Update-documentation-for-keymgmt-export-utils.patch Patch84: 0084-Add-test-for-EVP_PKEY_eq.patch @@ -340,7 +340,8 @@ export HASHBANGPERL=/usr/bin/perl zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \ enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips\ no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++\ - shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""' + shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'\ + -Wl,--allow-multiple-definition # Do not run this in a production package the FIPS symbols must be patched-in #util/mkdef.pl crypto update @@ -529,6 +530,13 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Fri Dec 23 2022 Dmitry Belyavskiy - 1:3.0.7-1 +- Rebase to upstream version 3.0.7 +- C99 compatibility in downstream-only 0032-Force-fips.patch + Resolves: rhbz#2152504 +- Adjusting include for the FIPS_mode macro + Resolves: rhbz#2083876 + * Wed Nov 16 2022 Simo sorce - 1:3.0.5-7 - Backport patches to fix external providers compatibility issues diff --git a/sources b/sources index 98fbb23..32e6de8 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (openssl-3.0.5-hobbled.tar.xz) = 2f5531d46a905af8d36bf81c18fa34ccc86f5bd66e6e4227bb17e2f926ef14f78057ab60cd9d55bb9d1bad3d5b56a71170e4a86708fd8352324db2e0747142cf +SHA512 (openssl-3.0.7-hobbled.tar.gz) = 3580f7c2f4b9f2fb0997ddaac31034a9ce2ee288ec1cc58dc48704f43a9116733d0b07c1b262ff55ce58ac89af4abb9bfd559e746338c7b497eb223c473f6751